Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?

Brian Campbell <bcampbell@pingidentity.com> Fri, 28 December 2012 13:59 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 28 Dec 2012 06:59:24 -0700
Message-ID: <CA+k3eCSVL0fDD18gEHEorm4iBMU7FCdwnDXiWB5pJuWypk7hrg@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>

I believe John meant to refer to Google's adding of the *cid* claim rather
than the *prn* claim.


On Thu, Dec 27, 2012 at 5:53 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> The discussion on the Connect call was that audience could be a literal or
> an array.
>
> example
>
> "aud":["http://audiance1.com","http://audiance2.com"]
>
> In some cases the token may want to have more than a single audience.
> (anthropomorphic license)
>
> in the simple case it would still be
> "aud":"http://audiance1.com"
>
> While dynamic typing of variables is not my favourite thing in principle,
> I am assured that this is common JSON syntax that people can deal with.
>
> The idea is to standardize this rather than everyone coming up with their
> own way around the restriction as Google did by adding the prn claim.
>
> At least this way if you only trust tokens with yourself as the audience
> you have an easy way to check.
>
> John B.
>
> On 2012-12-27, at 7:57 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>
> What do you mean by multi-valued and what are the semantics of multi-valued?
>
> *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On Behalf Of* John Bradley
> *Sent:* Thursday, December 27, 2012 5:32 AM
> *To:* Mike Jones
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Must the Audience value in the Assertions Spec be a URI?
>
> Agreed.
>
> We need to clarify that the value of the audience claim can be multi-valued as well.
>
> John B.
>
> On 2012-12-26, at 10:43 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
> http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-5.1 currently says:
>
>    Audience  A URI that identifies the party intended to process the
>       assertion.  The audience SHOULD be the URL of the Token Endpoint
>       as defined in Section 3.2 <http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2> of OAuth 2.0 [RFC6749 <http://tools.ietf.org/html/rfc6749>].
>
> I think that “URI” should be changed to “value”, since audience values in
> general need not be URIs.  In particular, in some contexts OAuth client_id
> values are used as audience values, and they need not be URIs.  Also, SAML
> allows multiple audiences (and indeed, the OAuth SAML profile is written in
> terms of “an audience value” – not “the audience value”), and so the
> generic Assertions spec should do likewise.
>
> Thus, I would propose changing the text above to the following:
>
>    Audience  A value that identifies the parties intended to process the
>       assertion.  An audience value SHOULD be the URL of the Token Endpoint
>       as defined in Section 3.2 <http://tools.ietf.org/html/draft-ietf-oauth-assertions-08#section-3.2> of OAuth 2.0 [RFC6749 <http://tools.ietf.org/html/rfc6749>].
>
>                                                             -- Mike
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
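An added example, not code from the thread or from any of the participants: a verifier-side audience check that accepts both the single-string and the array form of `aud` that John describes, and compares against the verifier's own identifier by exact string match, which works equally for a token endpoint URL and for a non-URI audience such as a client_id (Mike's point). The claim sets and identifiers are constructed for the example.

```python
import json

# Constructed sample claim sets (not from the thread), as the decoded JSON
# payload of an assertion would look once signature checking is done.
SINGLE = '{"iss": "client-abc", "aud": "https://as.example.com/token"}'
MULTI = '{"iss": "client-abc", "aud": ["https://as.example.com/token", "rs-42"]}'
MISSING = '{"iss": "client-abc"}'
BAD_TYPE = '{"iss": "client-abc", "aud": 42}'


def audience_values(claims):
    """Normalize the aud claim to a list of strings.

    Accepts the simple form ("aud": "x") and the multi-valued form
    ("aud": ["x", "y"]). Anything else (absent, wrong type, empty array,
    non-string members) is rejected rather than coerced.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise ValueError("aud must be a non-empty string or array of strings")


def intended_for_me(payload_json, my_identifier):
    """Return True only if my_identifier is one of the token's audiences.

    Comparison is exact string match: audience values need not be URIs
    (a client_id such as "rs-42" is handled the same way as a URL), so no
    URI normalisation is attempted. A missing, malformed or unparsable
    aud fails closed.
    """
    try:
        claims = json.loads(payload_json)
        auds = audience_values(claims)
    except (ValueError, AttributeError):
        # ValueError covers bad JSON and a bad aud; AttributeError covers a
        # payload that parsed to something other than a JSON object.
        return False
    return my_identifier in auds
```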